feat: audit signatures verifies attestations

DEPENDENCIES.md

@@ -714,6 +714,7 @@ graph LR;
   pacote-->promise-retry;
   pacote-->read-package-json-fast;
   pacote-->read-package-json;
+  pacote-->sigstore;
   pacote-->ssri;
   pacote-->tar;
   parse-conflict-json-->json-parse-even-better-errors;

lib/commands/audit.js

@@ -24,7 +24,8 @@ class VerifySignatures {
     this.missing = []
     this.checkedPackages = new Set()
     this.auditedWithKeysCount = 0
-    this.verifiedCount = 0
+    this.verifiedSignatureCount = 0
+    this.verifiedAttestationCount = 0
     this.exitCode = 0
   }
 
@@ -78,12 +79,25 @@ class VerifySignatures {
     this.npm.output(timing)
     this.npm.output('')
 
-    if (this.verifiedCount) {
-      const verifiedBold = this.npm.chalk.bold('verified')
-      if (this.verifiedCount === 1) {
-        this.npm.output(`${this.verifiedCount} package has a ${verifiedBold} registry signature`)
+    const verifiedBold = this.npm.chalk.bold('verified')
+    if (this.verifiedSignatureCount) {
+      if (this.verifiedSignatureCount === 1) {
+        /* eslint-disable-next-line max-len */
+        this.npm.output(`${this.verifiedSignatureCount} package has a ${verifiedBold} registry signature`)
+      } else {
+        /* eslint-disable-next-line max-len */
+        this.npm.output(`${this.verifiedSignatureCount} packages have ${verifiedBold} registry signatures`)
+      }
+      this.npm.output('')
+    }
+
+    if (this.verifiedAttestationCount) {
+      if (this.verifiedAttestationCount === 1) {
+        /* eslint-disable-next-line max-len */
+        this.npm.output(`${this.verifiedAttestationCount} package has a ${verifiedBold} attestation`)
       } else {
-        this.npm.output(`${this.verifiedCount} packages have ${verifiedBold} registry signatures`)
+        /* eslint-disable-next-line max-len */
+        this.npm.output(`${this.verifiedAttestationCount} packages have ${verifiedBold} attestations`)
       }
       this.npm.output('')
     }
@@ -110,19 +124,35 @@ class VerifySignatures {
       const invalidClr = this.npm.chalk.bold(this.npm.chalk.red('invalid'))
       // We can have either invalid signatures or invalid provenance
       const invalidSignatures = this.invalid.filter(i => i.code === 'EINTEGRITYSIGNATURE')
-      if (invalidSignatures.length === 1) {
-        this.npm.output(`1 package has an ${invalidClr} registry signature:`)
-      // } else if (invalidSignatures.length > 1) {
-      } else {
-        // TODO move this back to an else if once provenance attestation audit is added
-        /* eslint-disable-next-line max-len */
-        this.npm.output(`${invalidSignatures.length} packages have ${invalidClr} registry signatures:`)
+      if (invalidSignatures.length) {
+        if (invalidSignatures.length === 1) {
+          this.npm.output(`1 package has an ${invalidClr} registry signature:`)
+        } else {
+          /* eslint-disable-next-line max-len */
+          this.npm.output(`${invalidSignatures.length} packages have ${invalidClr} registry signatures:`)
+        }
+        this.npm.output('')
+        invalidSignatures.map(i =>
+          this.npm.output(`${this.npm.chalk.red(`${i.name}@${i.version}`)} (${i.registry})`)
+        )
+        this.npm.output('')
       }
-      this.npm.output('')
-      invalidSignatures.map(i =>
-        this.npm.output(`${this.npm.chalk.red(`${i.name}@${i.version}`)} (${i.registry})`)
-      )
-      this.npm.output('')
+
+      const invalidAttestations = this.invalid.filter(i => i.code === 'EATTESTATIONVERIFY')
+      if (invalidAttestations.length) {
+        if (invalidAttestations.length === 1) {
+          this.npm.output(`1 package has an ${invalidClr} attestation:`)
+        } else {
+          /* eslint-disable-next-line max-len */
+          this.npm.output(`${invalidAttestations.length} packages have ${invalidClr} attestations:`)
+        }
+        this.npm.output('')
+        invalidAttestations.map(i =>
+          this.npm.output(`${this.npm.chalk.red(`${i.name}@${i.version}`)} (${i.registry})`)
+        )
+        this.npm.output('')
+      }
+
       if (invalid.length === 1) {
         /* eslint-disable-next-line max-len */
         this.npm.output(`Someone might have tampered with this package since it was published on the registry!`)
@@ -252,16 +282,19 @@ class VerifySignatures {
     const {
       _integrity: integrity,
       _signatures,
+      _attestations,
       _resolved: resolved,
     } = await pacote.manifest(`${name}@${version}`, {
       verifySignatures: true,
+      verifyAttestations: true,
       ...this.buildRegistryConfig(registry),
       ...this.npm.flatOptions,
     })
     const signatures = _signatures || []
     const result = {
       integrity,
       signatures,
+      attestations: _attestations,
       resolved,
     }
     return result
@@ -287,14 +320,14 @@ class VerifySignatures {
     }
 
     try {
-      const { integrity, signatures, resolved } = await this.verifySignatures(
+      const { integrity, signatures, attestations, resolved } = await this.verifySignatures(
         name, version, registry
       )
 
       // Currently we only care about missing signatures on registries that provide a public key
       // We could make this configurable in the future with a strict/paranoid mode
       if (signatures.length) {
-        this.verifiedCount += 1
+        this.verifiedSignatureCount += 1
       } else if (keys.length) {
         this.missing.push({
           integrity,
@@ -305,17 +338,26 @@ class VerifySignatures {
           version,
         })
       }
+
+      // Track verified attestations separately to registry signatures, as all
+      // packages on registries with signing keys are expected to have registry
+      // signatures, but not all packages have provenance and publish attestations.
+      if (attestations) {
+        this.verifiedAttestationCount += 1
+      }
     } catch (e) {
-      if (e.code === 'EINTEGRITYSIGNATURE') {
+      if (e.code === 'EINTEGRITYSIGNATURE' || e.code === 'EATTESTATIONVERIFY') {
         this.invalid.push({
           code: e.code,
+          message: e.message,
           integrity: e.integrity,
           keyid: e.keyid,
           location,
           name,
           registry,
           resolved: e.resolved,
           signature: e.signature,
+          predicateType: e.predicateType,
           type,
           version,
         })

node_modules/pacote/lib/registry.js

@@ -7,6 +7,8 @@ const rpj = require('read-package-json-fast')
 const pickManifest = require('npm-pick-manifest')
 const ssri = require('ssri')
 const crypto = require('crypto')
+const npa = require('npm-package-arg')
+const { sigstore } = require('sigstore')
 
 // Corgis are cute. 🐕🐶
 const corgiDoc = 'application/vnd.npm.install-v1+json; q=1.0, application/json; q=0.8, */*'
@@ -203,7 +205,118 @@ class RegistryFetcher extends Fetcher {
           mani._signatures = dist.signatures
         }
       }
+
+      if (dist.attestations) {
+        if (this.opts.verifyAttestations) {
+          // Always fetch attestations from the current registry host
+          const attestationsPath = new URL(dist.attestations.url).pathname
+          const attestationsUrl = removeTrailingSlashes(this.registry) + attestationsPath
+          const res = await fetch(attestationsUrl, {
+            ...this.opts,
+            // disable integrity check for attestations json payload, we check the
+            // integrity in the verification steps below
+            integrity: null,
+          })
+          const { attestations } = await res.json()
+          const bundles = attestations.map(({ predicateType, bundle }) => {
+            const statement = JSON.parse(
+              Buffer.from(bundle.dsseEnvelope.payload, 'base64').toString('utf8')
+            )
+            const keyid = bundle.dsseEnvelope.signatures[0].keyid
+            const signature = bundle.dsseEnvelope.signatures[0].sig
+
+            return {
+              predicateType,
+              bundle,
+              statement,
+              keyid,
+              signature,
+            }
+          })
+
+          const attestationKeyIds = bundles.map((b) => b.keyid).filter((k) => !!k)
+          const attestationRegistryKeys = (this.registryKeys || [])
+            .filter(key => attestationKeyIds.includes(key.keyid))
+          if (!attestationRegistryKeys.length) {
+            throw Object.assign(new Error(
+              `${mani._id} has attestations but no corresponding public key(s) can be found`
+            ), { code: 'EMISSINGSIGNATUREKEY' })
+          }
+
+          for (const { predicateType, bundle, keyid, signature, statement } of bundles) {
+            const publicKey = attestationRegistryKeys.find(key => key.keyid === keyid)
+            // Publish attestations have a keyid set and a valid public key must be found
+            if (keyid) {
+              if (!publicKey) {
+                throw Object.assign(new Error(
+                  `${mani._id} has attestations with keyid: ${keyid} ` +
+                  'but no corresponding public key can be found'
+                ), { code: 'EMISSINGSIGNATUREKEY' })
+              }
+
+              const validPublicKey =
+                !publicKey.expires || (Date.parse(publicKey.expires) > Date.now())
+              if (!validPublicKey) {
+                throw Object.assign(new Error(
+                  `${mani._id} has attestations with keyid: ${keyid} ` +
+                  `but the corresponding public key has expired ${publicKey.expires}`
+                ), { code: 'EEXPIREDSIGNATUREKEY' })
+              }
+            }
+
+            const subject = {
+              name: statement.subject[0].name,
+              sha512: statement.subject[0].digest.sha512,
+            }
+
+            // Only type 'version' can be turned into a PURL
+            const purl = this.spec.type === 'version' ? npa.toPurl(this.spec) : this.spec
+            // Verify the statement subject matches the package, version
+            if (subject.name !== purl) {
+              throw Object.assign(new Error(
+                `${mani._id} package name and version (PURL): ${purl} ` +
+                `doesn't match what was signed: ${subject.name}`
+              ), { code: 'EATTESTATIONSUBJECT' })
+            }
+
+            // Verify the statement subject matches the tarball integrity
+            const integrityHexDigest = ssri.parse(this.integrity).hexDigest()
+            if (subject.sha512 !== integrityHexDigest) {
+              throw Object.assign(new Error(
+                `${mani._id} package integrity (hex digest): ` +
+                `${integrityHexDigest} ` +
+                `doesn't match what was signed: ${subject.sha512}`
+              ), { code: 'EATTESTATIONSUBJECT' })
+            }
+
+            try {
+              // Provenance attestations are signed with a signing certificate
+              // (including the key) so we don't need to return a public key.
+              //
+              // Publish attestations are signed with a keyid so we need to
+              // specify a public key from the keys endpoint: `registry-host.tld/-/npm/v1/keys`
+              const options = { keySelector: publicKey ? () => publicKey.pemkey : undefined }
+              await sigstore.verify(bundle, null, options)
+            } catch (e) {
+              throw Object.assign(new Error(
+                `${mani._id} failed to verify attestation: ${e.message}`
+              ), {
+                code: 'EATTESTATIONVERIFY',
+                predicateType,
+                keyid,
+                signature,
+                resolved: mani._resolved,
+                integrity: mani._integrity,
+              })
+            }
+          }
+          mani._attestations = dist.attestations
+        } else {
+          mani._attestations = dist.attestations
+        }
+      }
     }
+
     this.package = mani
     return this.package
   }

node_modules/pacote/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pacote",
-  "version": "15.0.8",
+  "version": "15.1.0",
   "description": "JavaScript package downloader",
   "author": "GitHub Inc.",
   "bin": {
@@ -27,7 +27,7 @@
   "devDependencies": {
     "@npmcli/arborist": "^6.0.0 || ^6.0.0-pre.0",
     "@npmcli/eslint-config": "^4.0.0",
-    "@npmcli/template-oss": "4.11.0",
+    "@npmcli/template-oss": "4.11.4",
     "hosted-git-info": "^6.0.0",
     "mutate-fs": "^2.1.1",
     "nock": "^13.2.4",
@@ -59,6 +59,7 @@
     "promise-retry": "^2.0.1",
     "read-package-json": "^6.0.0",
     "read-package-json-fast": "^3.0.0",
+    "sigstore": "^1.0.0",
     "ssri": "^10.0.0",
     "tar": "^6.1.11"
   },
@@ -71,7 +72,7 @@
   },
   "templateOSS": {
     "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
-    "version": "4.11.0",
+    "version": "4.11.4",
     "windowsCI": false
   }
 }

package-lock.json

@@ -133,7 +133,7 @@
         "npm-user-validate": "^2.0.0",
         "npmlog": "^7.0.1",
         "p-map": "^4.0.0",
-        "pacote": "^15.0.8",
+        "pacote": "^15.1.0",
         "parse-conflict-json": "^3.0.0",
         "proc-log": "^3.0.0",
         "qrcode-terminal": "^0.12.0",
@@ -9869,9 +9869,9 @@
       }
     },
     "node_modules/pacote": {
-      "version": "15.0.8",
-      "resolved": "https://registry.npmjs.org/pacote/-/pacote-15.0.8.tgz",
-      "integrity": "sha512-UlcumB/XS6xyyIMwg/WwMAyUmga+RivB5KgkRwA1hZNtrx+0Bt41KxHCvg1kr0pZ/ZeD8qjhW4fph6VaYRCbLw==",
+      "version": "15.1.0",
+      "resolved": "https://registry.npmjs.org/pacote/-/pacote-15.1.0.tgz",
+      "integrity": "sha512-FFcjtIl+BQNfeliSm7MZz5cpdohvUV1yjGnqgVM4UnVF7JslRY0ImXAygdaCDV0jjUADEWu4y5xsDV8brtrTLg==",
       "inBundle": true,
       "dependencies": {
         "@npmcli/git": "^4.0.0",
@@ -9889,6 +9889,7 @@
         "promise-retry": "^2.0.1",
         "read-package-json": "^6.0.0",
         "read-package-json-fast": "^3.0.0",
+        "sigstore": "^1.0.0",
         "ssri": "^10.0.0",
         "tar": "^6.1.11"
       },
@@ -11142,6 +11143,7 @@
       "version": "1.0.0",
       "resolved": "https://registry.npmjs.org/sigstore/-/sigstore-1.0.0.tgz",
       "integrity": "sha512-e+qfbn/zf1+rCza/BhIA//Awmf0v1pa5HQS8Xk8iXrn9bgytytVLqYD0P7NSqZ6IELTgq+tcDvLPkQjNHyWLNg==",
+      "inBundle": true,
       "dependencies": {
         "make-fetch-happen": "^11.0.1",
         "tuf-js": "^1.0.0"
@@ -14065,6 +14067,7 @@
       "version": "1.0.0",
       "resolved": "https://registry.npmjs.org/tuf-js/-/tuf-js-1.0.0.tgz",
       "integrity": "sha512-1dxsQwESDzACJjTdYHQ4wJ1f/of7jALWKfJEHSBWUQB/5UTJUx9SW6GHXp4mZ1KvdBRJCpGjssoPFGi4hvw8/A==",
+      "inBundle": true,
       "dependencies": {
         "make-fetch-happen": "^11.0.1",
         "minimatch": "^6.1.0"

package.json

@@ -102,7 +102,7 @@
     "npm-user-validate": "^2.0.0",
     "npmlog": "^7.0.1",
     "p-map": "^4.0.0",
-    "pacote": "^15.0.8",
+    "pacote": "^15.1.0",
     "parse-conflict-json": "^3.0.0",
     "proc-log": "^3.0.0",
     "qrcode-terminal": "^0.12.0",